Using AWS Lambda with AWS CloudTrail

You can enable CloudTrail in your AWS account to get logs of API calls and related event history in your account. CloudTrail records all of the API access events as objects in the Amazon S3 bucket that you specify at the time you enable CloudTrail.

You can take advantage of Amazon S3's bucket notification feature and direct Amazon S3 to publish object-created events to AWS Lambda. Whenever CloudTrail writes logs to your S3 bucket, Amazon S3 can then invoke your Lambda function by passing the Amazon S3 object-created event as a parameter. The S3 event provides information, including the bucket name and key name of the log object that CloudTrail created. Your Lambda function code can read the log object and process the access records logged by CloudTrail. For example, you might write Lambda function code to notify you if a specific API call was made in your account.

In this scenario, you enable CloudTrail so it can write access logs to your S3 bucket. From AWS Lambda's point of view, Amazon S3 is the event source, so Amazon S3 publishes events to AWS Lambda and invokes your Lambda function.

Amazon S3 publishes the s3:ObjectCreated:* event to AWS Lambda by invoking the Lambda function, as specified in the bucket notification configuration. Because the Lambda function's access permissions policy includes permissions for Amazon S3 to invoke the function, Amazon S3 can invoke the function.

AWS Lambda executes the Lambda function by assuming the execution role that you specified at the time you created the Lambda function.

The Lambda function reads the Amazon S3 event it receives as a parameter, determines where the CloudTrail object is, reads the CloudTrail object, and then processes the log records in the CloudTrail object.

If the log includes a record with specific eventType and eventSource values, the function publishes the event to your Amazon SNS topic. In Tutorial: Using AWS Lambda with AWS CloudTrail, you subscribe to the SNS topic using the email protocol, so you get email notifications.
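
The sequence described above, as an added Python example that is not AWS's tutorial code. The watched eventType and eventSource values, the SNS_TOPIC_ARN environment variable, the function names, and the sample bucket and key are assumptions made for illustration.

```python
import gzip
import json
import os
from urllib.parse import unquote_plus

# Assumed watch values; the page only says "specific eventType and eventSource values".
WATCH_EVENT_TYPE = "AwsApiCall"
WATCH_EVENT_SOURCE = "iam.amazonaws.com"

# Constructed sample S3 notification; bucket name and key are made up.
SAMPLE_EVENT = {"Records": [{"eventName": "ObjectCreated:Put", "s3": {
    "bucket": {"name": "example-trail-bucket"},
    "object": {"key": "AWSLogs/111122223333/CloudTrail/us-east-1/sample.json.gz"}}}]}

def log_objects(s3_event):
    """Yield (bucket, key) for each CloudTrail log object named in the S3 event."""
    for rec in s3_event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        # Digest files can share the bucket but are not API activity logs.
        if key.endswith(".json.gz") and "/CloudTrail-Digest/" not in key:
            yield bucket, key

def matching_records(raw_gzip):
    """Decompress one CloudTrail log object and return the watched records."""
    doc = json.loads(gzip.decompress(raw_gzip))
    return [r for r in doc.get("Records", [])
            if r.get("eventType") == WATCH_EVENT_TYPE
            and r.get("eventSource") == WATCH_EVENT_SOURCE]

def process_event(s3_event, s3, sns, topic_arn):
    """Read each log object, publish one SNS message per match, return the count."""
    published = 0
    for bucket, key in log_objects(s3_event):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        for rec in matching_records(body):
            sns.publish(TopicArn=topic_arn,
                        Subject="CloudTrail alert: " + rec.get("eventName", "unknown")[:80],
                        Message=json.dumps(rec, indent=2))
            published += 1
    return published

def lambda_handler(event, context):
    import boto3  # imported here so the helpers above can be exercised offline
    return process_event(event, boto3.client("s3"), boto3.client("sns"),
                         os.environ["SNS_TOPIC_ARN"])
```

For this handler the execution role needs only s3:GetObject on the CloudTrail bucket and sns:Publish on the one topic.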